
Endpoint

This endpoint authenticates a user with email and password, returning a JWT token valid for 10 days.
POST /api/usuario/login

Request Body

  • Correo (string, required): The user’s email address. Email must belong to an active user account.
  • Password (string, required): The user’s password. Password is verified using secure hashing.

Response

  • Respuesta (boolean): Indicates whether the authentication was successful. Returns true on success, false on failure.
  • Token (string): JWT authentication token. Valid for 10 days from generation. Empty string if authentication fails.
  • Datos (object): User information object. Returns null if authentication fails.

JWT Token Details

The API generates JWT tokens with the following characteristics:
  • Algorithm: HMAC-SHA256
  • Expiration: 10 days from generation
  • Claims: Includes user ID (NameIdentifier claim)
  • Usage: Include token in Authorization header as Bearer {token} for authenticated requests

Example Request

curl -X POST https://api.example.com/api/usuario/login \
  -H "Content-Type: application/json" \
  -d '{
    "Correo": "[email protected]",
    "Password": "SecurePassword123"
  }'

Example Response

Success Response (200 OK)

{
  "Respuesta": true,
  "Token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxMjM0NTY3OC05MGFiLWNkZWYtMTIzNC01Njc4OTBhYmNkZWYiLCJleHAiOjE3MTAzNjQ4MDB9.Xb5h-JQZ9k7V8mNrP2wY5qL3fR6tE8sA1dC4gH0iJ9k",
  "Datos": {
    "IdUsuario": "12345678-90ab-cdef-1234-567890abcdef",
    "Nombre": "John Doe",
    "Correo": "[email protected]",
    "Rol": "Admin",
    "Activo": true
  }
}

Failed Response (200 OK)

Note: The API returns HTTP 200 even for failed authentication attempts. Check the Respuesta field to determine success or failure.
{
  "Respuesta": false,
  "Token": "",
  "Datos": null
}

Authentication Failure Reasons

The login will fail (Respuesta: false) in the following scenarios:
  1. Invalid Email: The provided email does not exist in the system
  2. Inactive Account: The user account exists but is marked as inactive
  3. Invalid Password: The password does not match the stored password hash
  4. Invalid Credentials: General authentication failure
For security reasons, the API does not distinguish between different failure reasons in the response.

Using the Token

Once you receive a token, include it in the Authorization header for subsequent authenticated requests:
curl -X GET https://api.example.com/api/protected-endpoint \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Security Considerations

  • Store the JWT token securely (e.g., HTTP-only cookies, secure storage)
  • Never expose tokens in URLs or logs
  • Implement a token refresh mechanism so tokens are renewed before they expire
  • Use HTTPS in production to prevent token interception
  • Validate the token server-side on every protected request
